Esempio n. 1
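 /**
  * Saves the settings submitted from the settings form.
  *
  * The CSRF token is checked before any posted value is used: a missing or
  * invalid token flashes an error, notifies observers and redirects back to
  * the settings screen. Otherwise the "allow_html_title" checkbox is
  * normalised to an explicit 'off' when absent, the admin title is reduced
  * to a small whitelist of inline HTML, and everything is stored through
  * Setting::saveFromData().
  *
  * NOTE(review): redirect() is assumed to end the request, so nothing after
  * a redirect call is meant to run — confirm against the framework's
  * redirect() implementation.
  */
 private final function _save()
 {
     $settingUrl = get_url('setting');

     // CSRF checks — run before the posted settings are touched at all.
     if (!isset($_POST['csrf_token'])) {
         Flash::set('error', __('No CSRF token found!'));
         Observer::notify('csrf_token_not_found', AuthUser::getUserName());
         redirect($settingUrl);
     } elseif (!SecureToken::validateToken($_POST['csrf_token'], BASE_URL . 'setting')) {
         Flash::set('error', __('Invalid CSRF token found!'));
         Observer::notify('csrf_token_invalid', AuthUser::getUserName());
         redirect($settingUrl);
     }

     // A request without the expected form array must not produce
     // undefined-index notices on the lookups below.
     $data = (isset($_POST['setting']) && is_array($_POST['setting'])) ? $_POST['setting'] : array();

     // An unchecked checkbox is simply absent from the POST body; persist an
     // explicit 'off' so the stored setting is always defined.
     if (!isset($data['allow_html_title'])) {
         $data['allow_html_title'] = 'off';
     }

     // The admin title is rendered as HTML, so strip it down to a small set
     // of inline tags/attributes. NOTE(review): 'img' keeps its src attribute;
     // the Kses helper is expected to filter the URL scheme — confirm there.
     use_helper('Kses');
     $allowed = array(
         'img'        => array('src' => array()),
         'abbr'       => array('title' => array()),
         'acronym'    => array('title' => array()),
         'b'          => array(),
         'blockquote' => array('cite' => array()),
         'br'         => array(),
         'code'       => array(),
         'em'         => array(),
         'i'          => array(),
         'p'          => array(),
         'strike'     => array(),
         'strong'     => array(),
     );
     $adminTitle = isset($data['admin_title']) ? trim($data['admin_title']) : '';
     $data['admin_title'] = kses($adminTitle, $allowed);

     Setting::saveFromData($data);
     Flash::set('success', __('Settings have been saved!'));
     redirect($settingUrl);
 }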
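 /**
  * Saves an edited layout from the posted 'layout' form array.
  *
  * The CSRF token is validated before any posted value is applied to the
  * record; a missing or invalid token, a missing layout or a failed save all
  * flash an error and redirect. On success the browser goes to the layout
  * index when the form was submitted with "commit", otherwise back to the
  * edit screen.
  *
  * NOTE(review): this method carries no visibility keyword and is therefore
  * public. If the framework dispatches requests to public controller
  * methods, it should be made private like its sibling helpers.
  * redirect() is assumed to end the request — confirm against the framework.
  *
  * @todo Merge _add() and _edit() into one _store()
  *
  * @param mixed $id Id of the layout being edited, as taken from the URL.
  */
 function _edit($id)
 {
     $editUrl = get_url('layout/edit/' . $id);

     // CSRF checks — done before the record is loaded or modified.
     if (!isset($_POST['csrf_token'])) {
         Flash::set('error', __('No CSRF token found!'));
         redirect($editUrl);
     } elseif (!SecureToken::validateToken($_POST['csrf_token'], BASE_URL . 'layout/edit')) {
         Flash::set('error', __('Invalid CSRF token found!'));
         redirect($editUrl);
     }

     $layout = Record::findByIdFrom('Layout', $id);
     if (!$layout) {
         // A stale or forged id must not end in a method call on a non-object.
         Flash::set('error', __('Layout not found!'));
         redirect(get_url('layout'));
     }
     $layout->setFromData(isset($_POST['layout']) ? $_POST['layout'] : array());

     if (!$layout->save()) {
         Flash::set('error', __('Layout has not been saved. Name must be unique!'));
         redirect($editUrl);
     } else {
         Flash::set('success', __('Layout has been saved!'));
         Observer::notify('layout_after_edit', $layout);
     }

     // Save and quit, or save and continue editing?
     if (isset($_POST['commit'])) {
         redirect(get_url('layout'));
     } else {
         redirect($editUrl);
     }
 }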
Esempio n. 3
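 /**
  * Validates and saves an edited user, including an optional password change
  * and — for callers holding the 'user_edit' permission — the user's roles.
  *
  * Order of checks: CSRF token, password/confirmation pair, field
  * validation (username, name, email, language). Every failure flashes an
  * error and redirects back to the edit form. After saving, the current user
  * is returned to their own edit screen, anyone else to the user list.
  *
  * NOTE(review): redirect() is assumed to end the request — confirm against
  * the framework's redirect().
  *
  * @todo merge _add() and _edit() into one _store()
  *
  * @param mixed $id Id of the user being edited, as taken from the URL.
  */
 private function _edit($id)
 {
     use_helper('Validate');
     $editUrl = get_url('user/edit/' . $id);
     $data = (isset($_POST['user']) && is_array($_POST['user'])) ? $_POST['user'] : array();

     // Keep the submitted values for re-populating the form, but never write
     // the plaintext password (or its confirmation) into the session flash.
     $postData = $data;
     unset($postData['password'], $postData['confirm']);
     Flash::set('post_data', (object) $postData);

     // Collected validation messages; empty means the data is acceptable.
     $errors = array();

     // CSRF checks
     if (!isset($_POST['csrf_token'])) {
         Flash::set('error', __('No CSRF token found!'));
         redirect($editUrl);
     } elseif (!SecureToken::validateToken($_POST['csrf_token'], BASE_URL . 'user/edit')) {
         Flash::set('error', __('Invalid CSRF token found!'));
         redirect($editUrl);
     }

     // Only change the password when one was entered; otherwise drop both
     // fields so setFromData() leaves the stored hash untouched.
     $password = (isset($data['password']) && is_string($data['password'])) ? $data['password'] : '';
     $confirm = (isset($data['confirm']) && is_string($data['confirm'])) ? $data['confirm'] : '';
     if (strlen($password) > 0) {
         // Password and confirmation must be identical (strict) and at least 5 chars.
         if (strlen($password) >= 5 && $password === $confirm) {
             unset($data['confirm']);
         } else {
             Flash::set('error', __('Password and Confirm are not the same or too small!'));
             redirect($editUrl);
         }
     } else {
         unset($data['password'], $data['confirm']);
     }

     // Check alphanumerical fields
     $fields = array('username');
     foreach ($fields as $field) {
         if (!empty($data[$field]) && !Validate::alphanum_space($data[$field])) {
             $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
         }
     }
     if (!empty($data['name']) && !Validate::alphanum_space($data['name'], true)) {
         $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'name'));
     }
     if (!empty($data['email']) && !Validate::email($data['email'])) {
         $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'email'));
     }
     if (!empty($data['language']) && !Validate::alpha($data['language'])) {
         $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'language'));
     }
     if (!empty($errors)) {
         // Set the errors to be displayed.
         Flash::set('error', implode('<br/>', $errors));
         redirect($editUrl);
     }

     $user = Record::findByIdFrom('User', $id);
     if (!$user) {
         // A stale or forged id must not end in a method call on a non-object.
         Flash::set('error', __('User not found!'));
         redirect(get_url('user'));
     }
     if (isset($data['password'])) {
         // Hash with the user's existing salt; create one for rows that lack it.
         if (empty($user->salt)) {
             $user->salt = AuthUser::generateSalt();
         }
         $data['password'] = AuthUser::generateHashedPassword($data['password'], $user->salt);
     }
     $user->setFromData($data);

     if ($user->save()) {
         if (AuthUser::hasPermission('user_edit')) {
             // Role assignments are only writable for callers with 'user_edit'.
             $permissions = isset($_POST['user_permission']) ? $_POST['user_permission'] : array();
             UserRole::setPermissionsFor($user->id, $permissions);
         }
         Flash::set('success', __('User has been saved!'));
         Observer::notify('user_after_edit', $user->name);
     } else {
         Flash::set('error', __('User has not been saved!'));
     }

     // Loose comparison on purpose: getId() returns an int, $id arrives from
     // the URL as a numeric string.
     if (AuthUser::getId() == $id) {
         redirect($editUrl);
     } else {
         redirect(get_url('user'));
     }
 }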
Esempio n. 4
 /**
  * Deletes the user with the given id and returns to the user list.
  *
  * Requires the 'user_delete' permission, a numeric id and a valid CSRF
  * token, which for this action travels in the query string. The first
  * admin (id 1) is never deleted.
  *
  * @param mixed $id Id of the user to delete, as taken from the URL.
  */
 public function delete($id)
 {
     if (!AuthUser::hasPermission('user_delete')) {
         Flash::set('error', __('You do not have permission to access the requested page!'));
         redirect(get_url());
     }

     // Sanity checks
     use_helper('Validate');
     if (!Validate::numeric($id)) {
         Flash::set('error', __('Invalid input found!'));
         redirect(get_url());
     }

     // CSRF checks — the token is part of the delete link, hence $_GET.
     $listUrl = get_url('user');
     if (!isset($_GET['csrf_token'])) {
         Flash::set('error', __('No CSRF token found!'));
         redirect($listUrl);
     } elseif (!SecureToken::validateToken($_GET['csrf_token'], BASE_URL . 'user/delete/' . $id)) {
         Flash::set('error', __('Invalid CSRF token found!'));
         redirect($listUrl);
     }

     // Security: the first admin (id 1) must stay.
     if ($id > 1) {
         $target = Record::findByIdFrom('User', $id);
         if (!$target) {
             Flash::set('error', __('User not found!'));
         } elseif ($target->delete()) {
             Flash::set('success', __('User <strong>:name</strong> has been deleted!', array(':name' => $target->name)));
             Observer::notify('user_after_delete', $target->name);
         } else {
             Flash::set('error', __('User <strong>:name</strong> has not been deleted!', array(':name' => $target->name)));
         }
     } else {
         Flash::set('error', __('Action disabled!'));
     }
     redirect($listUrl);
 }
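 /**
  * Renames a file or directory below FILES_DIR using the posted 'file' form
  * (current_name, new_name) and returns to the browser view of its folder.
  *
  * Checks, in order: the 'file_manager_rename' permission, the CSRF token,
  * that the source resolves to a path inside FILES_DIR, that the new name is
  * non-empty and does not carry a server-side script extension, and that the
  * destination does not exist yet.
  *
  * NOTE(review): redirect() is assumed to end the request — confirm against
  * the framework's redirect().
  */
 public function rename()
 {
     $browseUrl = get_url('plugin/file_manager/browse/');

     if (!AuthUser::hasPermission('file_manager_rename')) {
         Flash::set('error', __('You do not have sufficient permissions to rename this file or directory.'));
         redirect($browseUrl);
     }

     // CSRF checks
     if (!isset($_POST['csrf_token'])) {
         Flash::set('error', __('No CSRF token found!'));
         redirect($browseUrl);
     } elseif (!SecureToken::validateToken($_POST['csrf_token'], BASE_URL . 'plugin/file_manager/rename')) {
         Flash::set('error', __('Invalid CSRF token found!'));
         redirect($browseUrl);
     }

     $data = (isset($_POST['file']) && is_array($_POST['file'])) ? $_POST['file'] : array();
     $currentName = (isset($data['current_name']) && is_string($data['current_name'])) ? $data['current_name'] : '';
     $newName = (isset($data['new_name']) && is_string($data['new_name'])) ? $data['new_name'] : '';

     // Strip parent-directory tokens and NUL bytes from the source path. This
     // is only defence in depth: the realpath() containment check below is
     // the actual boundary.
     $currentName = str_replace(array('..', "\0"), '', $currentName);

     // Clean the new name: spaces become underscores, everything outside
     // [a-z0-9_.-] is dropped — which also removes any directory separator.
     $newName = preg_replace('/ /', '_', $newName);
     $newName = preg_replace('/[^a-z0-9_\\-\\.]/i', '', $newName);
     if ($newName === '') {
         Flash::set('error', __('Invalid input found!'));
         redirect($browseUrl);
     }

     // Folder (relative to FILES_DIR) the item lives in; '' when at the root.
     $path = substr($currentName, 0, (int) strrpos($currentName, '/'));
     $file = FILES_DIR . '/' . $currentName;
     $target = FILES_DIR . '/' . $path . '/' . $newName;
     $folderUrl = get_url('plugin/file_manager/browse/' . $path);

     // The source must exist and resolve (symlinks included) to somewhere
     // strictly inside FILES_DIR; the destination shares its folder, so this
     // also pins the destination.
     $baseDir = realpath(FILES_DIR);
     $realFile = realpath($file);
     if ($baseDir === false || $realFile === false) {
         // Do not echo the server-side path back to the browser.
         Flash::set('error', __('File or directory not found!'));
         redirect($folderUrl);
     }
     if (strpos($realFile, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
         Flash::set('error', __('Invalid input found!'));
         redirect($browseUrl);
     }

     // Refuse names the web server may execute as PHP. This is a blocklist,
     // so it only covers what is listed here; an extension allowlist would be
     // the stronger rule if the deployment permits it.
     $ext = strtolower(pathinfo($newName, PATHINFO_EXTENSION));
     if (in_array($ext, ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'inc'], true)) {
         // The placeholder map was previously passed as a bare string.
         Flash::set('error', __('Not allowed to rename to :ext', array(':ext' => $ext)));
         redirect($folderUrl);
     }

     // Check another file doesn't already exist with same name
     if (file_exists($target)) {
         Flash::set('error', __('A file or directory with that name already exists!'));
         redirect($folderUrl);
     }

     if (!rename($file, $target)) {
         Flash::set('error', __('Permission denied!'));
     }
     redirect($folderUrl);
 }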
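 /**
  * Validates the posted form for one of the account actions and hands it to
  * the global $pawUsers service.
  *
  * Supported actions: login, logout, register, activate, forgot, remember,
  * delete. Only field presence is checked here; the credential and code
  * checks live in $pawUsers. On success observers are notified (and, for
  * logout, the UI state cookies are cleared); on failure the service's
  * errors are copied into $this->errors.
  *
  * NOTE(review): only 'logout' and 'delete' verify a SecureToken here. If
  * the other actions are not protected elsewhere, the login and register
  * forms have no CSRF protection — confirm against the calling controller.
  * paw_xss_cleaner() is also applied to the password fields, so passwords
  * containing filtered characters may no longer match what was registered.
  *
  * @param string $action One of the action names above.
  * @param array  $post   The raw POST body.
  * @return bool True when the action succeeded, false otherwise.
  */
 public function _action($action, $post)
 {
     global $pawUsers;

     // VALIDATE STUFF AND PERFORM ACTION
     $post = paw_xss_cleaner($post);
     // empty() already covers a missing key, so no separate isset() is needed.
     $perform = false;
     switch ($action) {
         case "login":
             if (empty($post["user"])) {
                 $this->errors[] = __("You need to enter your Username or eMail address!");
                 return false;
             }
             if (empty($post["password"])) {
                 $this->errors[] = __("You need to enter your Password!");
                 return false;
             }
             $perform = $pawUsers->login($post["user"], $post["password"], isset($post["remember"]));
             break;
         case "logout":
             if (empty($post["user"])) {
                 $this->errors[] = __("You need to enter your Username or eMail address!");
                 return false;
             }
             // The logout token is bound to the current user's id.
             $current = $pawUsers->getCurrentUserID();
             if (!isset($post["token"]) || !SecureToken::validateToken($post["token"], get_url("login/logout/" . $current))) {
                 $this->_error(__("The CSRF Token does not exist or is invalid!"));
                 return false;
             }
             Observer::notify("logout_requested");
             $perform = $pawUsers->logout();
             break;
         case "register":
             if (empty($post["username"])) {
                 $this->errors[] = __("You need to enter your Username!");
                 return false;
             }
             if (empty($post["mail"])) {
                 $this->errors[] = __("You need to enter your eMail address!");
                 return false;
             }
             // password arrives as a [password, repeat] pair.
             if (!isset($post["password"]) || !is_array($post["password"]) || count($post["password"]) !== 2) {
                 $this->errors[] = __("You need to enter and repeat your Password!");
                 return false;
             }
             if (empty($post["password"][0]) || empty($post["password"][1])) {
                 $this->errors[] = __("You need to enter and repeat your Password!");
                 return false;
             }
             $perform = $pawUsers->registration($post["username"], $post["mail"], $post["password"], NULL);
             break;
         case "activate":
             if (empty($post["code"])) {
                 $this->errors[] = __("You need to enter your Activation Code!");
                 return false;
             }
             if (empty($post["user"])) {
                 $this->errors[] = __("You need to enter your Username or eMail address!");
                 return false;
             }
             if (empty($post["password"])) {
                 $this->errors[] = __("You need to enter your Password!");
                 return false;
             }
             $perform = $pawUsers->activateUser($post["user"], $post["code"], $post["password"]);
             break;
         case "forgot":
             if (empty($post["user"])) {
                 $this->errors[] = __("You need to enter your Username or eMail address!");
                 return false;
             }
             $perform = $pawUsers->lostPassword($post["user"]);
             break;
         case "remember":
             if (empty($post["code"])) {
                 $this->errors[] = __("You need to enter your Remember-Password Code!");
                 return false;
             }
             if (empty($post["user"])) {
                 $this->errors[] = __("You need to enter your Username or eMail address!");
                 return false;
             }
             // password arrives as a [password, repeat] pair.
             if (!isset($post["password"]) || !is_array($post["password"]) || count($post["password"]) !== 2) {
                 $this->errors[] = __("You need to enter and repeat your new Password!");
                 return false;
             }
             if (empty($post["password"][0]) || empty($post["password"][1])) {
                 $this->errors[] = __("You need to enter and repeat your new Password!");
                 return false;
             }
             $perform = $pawUsers->rememberPassword($post["user"], $post["code"], $post["password"]);
             break;
         case "delete":
             if (empty($post["user"])) {
                 $this->errors[] = __("You need to enter your Username or eMail address!");
                 return false;
             }
             if (empty($post["password"])) {
                 $this->errors[] = __("You need to enter your Password!");
                 return false;
             }
             // The delete token is bound to the current user's id.
             $current = $pawUsers->getCurrentUserID();
             if (!isset($post["token"]) || !SecureToken::validateToken($post["token"], get_url("login/delete/" . $current))) {
                 $this->_error(__("The CSRF Token does not exist or is invalid!"));
                 return false;
             }
             $perform = $pawUsers->deleteUser($post["user"], $post["password"]);
             break;
         default:
             // Previously `$this->errors(...)`, a call to a non-method; record
             // the message like the other branches do. The misspelled message
             // is kept because it is the translation key.
             $this->errors[] = __("Unkown Action!");
             return false;
     }

     // RETURN
     if ($perform === true) {
         if ($action === "logout") {
             // Expire the admin UI state cookies along with the session.
             setcookie("expanded_rows", "", time() - 3600);
             setcookie("meta_tab", "", time() - 3600);
             setcookie("page_tab", "", time() - 3600);
             Observer::notify("admin_after_logout", $post["user"]);
         } else {
             Observer::notify("admin_" . $action . "_success", $post["user"]);
         }
         return true;
     }
     // Registration posts 'username' rather than 'user'; normalise for the event.
     if (!isset($post["user"]) && isset($post["username"])) {
         $post["user"] = $post["username"];
     }
     if (isset($post["user"])) {
         Observer::notify("admin_" . $action . "_failed", $post["user"]);
     }
     $this->errors = $pawUsers->errors;
     return false;
 }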
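 /**
  * Handles the dashboard's AJAX requests and prints a JSON reply.
  *
  * Every request must carry a SecureToken for 'plugin/dashboard' in
  * $_POST['token']. $_POST['action'] selects one of:
  *  - save-widget-position: 'settings' is a map widget-name => [part, order]
  *  - enable-widget / disable-widget: 'settings' is a widget name
  *  - change-grid: 'settings' is the numeric grid size
  *
  * @return bool True when the request was handled successfully, false when
  *              it was not an AJAX request, was rejected, or named no known action.
  */
 public function ajax()
 {
     if (get_request_method() !== "AJAX") {
         return false;
     }
     if (!isset($_POST["action"]) || !isset($_POST["token"])) {
         return false;
     }
     if (!SecureToken::validateToken($_POST["token"], get_url("plugin/dashboard"))) {
         echo json_encode(array("error" => __("The SecureToken is invalid.")));
         return false;
     }
     $action = $_POST["action"];
     $settings = isset($_POST["settings"]) ? $_POST["settings"] : null;

     if ($action === "save-widget-position") {
         if ($settings === null) {
             $settings = array();
         }
         // The previous test was `!array($_POST["settings"])`, which builds a
         // non-empty array and therefore never fails; is_array() is what was meant.
         if (!is_array($settings)) {
             echo json_encode(array("error" => __("The Settings doesn't exist or are invalid!")));
             return false;
         }
         $widgets = DashboardWidgets::$widgets;
         $positions = array();
         foreach ($settings as $widget => $position) {
             // Ignore unknown widgets and anything that is not a numeric [part, order] pair.
             if (!array_key_exists($widget, $widgets)) {
                 continue;
             }
             if (is_array($position) && count($position) == 2
                 && isset($position[0], $position[1])
                 && is_numeric($position[0]) && is_numeric($position[1])) {
                 $positions[$widget] = array("part" => (int) $position[0], "order" => (int) $position[1]);
             }
         }
         Plugin::setSetting("widget-position", serialize($positions), "dashboard");
         echo json_encode(array("success" => __("Settings successfully saved.")));
         return true;
     }

     if ($action === "enable-widget") {
         if (!is_string($settings)) {
             echo json_encode(array("error" => __("The Settings doesn't exist or are invalid!")));
             return false;
         }
         if (!array_key_exists($settings, DashboardWidgets::$widgets)) {
             echo json_encode(array("error" => __("The Widget doesn't exist!")));
             return false;
         }
         DashboardWidgets::enableWidget($settings);
         $widget = DashboardWidgets::getWidget($settings);
         // Capture the rendered widget markup for the JSON reply.
         ob_start();
         $this->renderWidget($widget);
         $content = ob_get_clean();
         echo json_encode(array("content" => $content));
         return true;
     }

     if ($action === "disable-widget") {
         // Same shape check as enable-widget; a missing or non-string value
         // previously reached array_key_exists() unchecked.
         if (!is_string($settings)) {
             echo json_encode(array("error" => __("The Settings doesn't exist or are invalid!")));
             return false;
         }
         if (!array_key_exists($settings, DashboardWidgets::$widgets)) {
             echo json_encode(array("error" => __("The Widget doesn't exist!")));
             return false;
         }
         DashboardWidgets::disableWidget($settings);
         echo json_encode(array("success" => __("Settings successfully saved.")));
         return true;
     }

     if ($action === "change-grid") {
         if (!is_numeric($settings)) {
             echo json_encode(array("error" => __("The Settings doesn't exist or are invalid!")));
             return false;
         }
         Plugin::setSetting("grid-size", $settings, "dashboard");
         echo json_encode(array("success" => __("Settings successfully saved.")));
         return true;
     }

     // Unknown action: nothing was done.
     return false;
 }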
Esempio n. 8
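 /**
  * Runs checks and stores a page.
  *
  * Validation order: CSRF token, title, slug, numeric fields (parent_id,
  * layout_id, needs_login), date and time fields, keywords/description
  * (HTML stripped), behaviour_id, and the title itself when HTML titles are
  * disabled. On any error the edit form is re-rendered with the submitted
  * values and the method returns without saving. Otherwise the page, its
  * parts and its tags are saved and the browser is redirected: to the page
  * index on "commit", else back to the edit screen.
  *
  * NOTE(review): redirect() is assumed to end the request — confirm against
  * the framework's redirect().
  *
  * @param string $action   What kind of action this is: add or edit.
  * @param mixed  $id       Page to edit if any.
  * @throws Exception When $action is 'edit' but no $id was given.
  */
 private function _store($action, $id = false)
 {
     // Sanity checks
     if ($action == 'edit' && !$id) {
         throw new Exception('Trying to edit page when $id is false.');
     }
     use_helper('Validate');
     use_helper('Kses');
     $data = (isset($_POST['page']) && is_array($_POST['page'])) ? $_POST['page'] : array();
     $data['is_protected'] = !empty($data['is_protected']) ? 1 : 0;
     Flash::set('post_data', (object) $data);
     // Collected validation messages; empty means the page may be saved.
     $errors = array();
     // CSRF checks — a failure is collected like any other error and stops the save below.
     if (isset($_POST['csrf_token'])) {
         if (!SecureToken::validateToken($_POST['csrf_token'], BASE_URL . 'page/' . $action)) {
             $errors[] = __('Invalid CSRF token found!');
         }
     } else {
         $errors[] = __('No CSRF token found!');
     }
     $data['title'] = isset($data['title']) ? trim($data['title']) : '';
     if (empty($data['title'])) {
         $errors[] = __('You have to specify a title!');
     }
     $data['slug'] = isset($data['slug']) ? trim($data['slug']) : '';
     // Only the root page (id 1) may have an empty slug.
     if (empty($data['slug']) && $id != '1') {
         $errors[] = __('You have to specify a slug!');
     } else {
         if ($data['slug'] == ADMIN_DIR) {
             $errors[] = __('You cannot have a slug named :slug!', array(':slug' => ADMIN_DIR));
         }
         // NOTE(review): as written, Validate::slug() only runs for the root
         // page; other pages' slugs are never format-checked. Kept unchanged
         // because tightening it could reject slugs of existing pages — confirm intent.
         if (!Validate::slug($data['slug']) && (!empty($data['slug']) && $id == '1')) {
             $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'slug'));
         }
     }
     // Check all numerical fields for a page
     $fields = array('parent_id', 'layout_id', 'needs_login');
     foreach ($fields as $field) {
         $value = isset($data[$field]) ? $data[$field] : '';
         if (!Validate::digit($value)) {
             $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
         }
     }
     // Check all date fields for a page (YYYY-MM-DD)
     $fields = array('created_on', 'published_on', 'valid_until');
     foreach ($fields as $field) {
         if (isset($data[$field])) {
             $data[$field] = trim($data[$field]);
             if (!empty($data[$field]) && !(bool) preg_match('/^[0-9]{4}-[0-9]{2}-[0-9]{2}$/D', (string) $data[$field])) {
                 $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
             }
         }
     }
     // Check all time fields for a page (HH:MM:SS)
     $fields = array('created_on_time', 'published_on_time', 'valid_until_time');
     foreach ($fields as $field) {
         if (isset($data[$field])) {
             $data[$field] = trim($data[$field]);
             if (!empty($data[$field]) && !(bool) preg_match('/^[0-9]{2}:[0-9]{2}:[0-9]{2}$/D', (string) $data[$field])) {
                 $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
             }
         }
     }
     // Strip all HTML from the free-text meta fields.
     $fields = array('keywords', 'description');
     foreach ($fields as $field) {
         $data[$field] = kses(isset($data[$field]) ? trim($data[$field]) : '', array());
     }
     // Check behaviour_id field
     if (!empty($data['behaviour_id']) && !Validate::slug($data['behaviour_id'])) {
         $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'behaviour_id'));
     }
     // Make sure the title doesn't contain HTML unless the setting allows it
     if (Setting::get('allow_html_title') == 'off') {
         $data['title'] = kses(trim($data['title']), array());
     }
     // Create the page object to be manipulated and populate data
     if ($action == 'add') {
         $page = new Page($data);
     } else {
         $page = Record::findByIdFrom('Page', $id);
         $page->setFromData($data);
     }
     // Upon errors, rebuild original page and return to screen with errors
     if (!empty($errors)) {
         $tags = isset($_POST['page_tag']) ? $_POST['page_tag'] : array();
         // Rebuild time fields
         if (isset($page->created_on)) {
             $page->created_on = $page->created_on . ' ' . $page->created_on_time;
         }
         if (isset($page->published_on)) {
             $page->published_on = $page->published_on . ' ' . $page->published_on_time;
         }
         if (isset($page->valid_until)) {
             $page->valid_until = $page->valid_until . ' ' . $page->valid_until_time;
         }
         // Rebuild parts
         $part = isset($_POST['part']) ? $_POST['part'] : array();
         if (!empty($part)) {
             $tmp = array();
             foreach ($part as $key => $val) {
                 $tmp[$key] = (object) $val;
             }
             $part = $tmp;
         }
         // Set the errors to be displayed.
         Flash::setNow('error', implode('<br/>', $errors));
         // display things ...
         $this->setLayout('backend');
         $this->display('page/edit', array(
             'action'     => $action,
             'csrf_token' => SecureToken::generateToken(BASE_URL . 'page/' . $action),
             'page'       => (object) $page,
             'tags'       => $tags,
             'filters'    => Filter::findAll(),
             'behaviors'  => Behavior::findAll(),
             'page_parts' => (object) $part,
             'layouts'    => Record::findAllFrom('Layout'),
         ));
         // Explicit stop: whether or not display() ends the request, an
         // invalid submission (including a failed CSRF check) must never
         // reach the save below.
         return;
     }
     // Notify
     if ($action == 'add') {
         Observer::notify('page_add_before_save', $page);
     } else {
         Observer::notify('page_edit_before_save', $page);
     }
     // Time to actually save the page
     // @todo rebuild this so parts are already set before save?
     // @todo determine lazy init impact
     if ($page->save()) {
         // Get data for parts of this page
         $data_parts = (isset($_POST['part']) && is_array($_POST['part'])) ? $_POST['part'] : array();
         Flash::set('post_parts_data', (object) $data_parts);
         if ($action == 'edit') {
             $old_parts = PagePart::findByPageId($id);
             // Every existing part that is still posted (matched by name) is
             // updated in place and removed from $data_parts; anything not
             // posted any more is deleted.
             foreach ($old_parts as $old_part) {
                 $not_in = true;
                 foreach ($data_parts as $part_id => $part_data) {
                     $part_data['name'] = trim($part_data['name']);
                     if ($old_part->name == $part_data['name']) {
                         $not_in = false;
                         // this will not really create a new page part because
                         // the id of the part is passed in $part_data
                         $part = new PagePart($part_data);
                         $part->page_id = $id;
                         Observer::notify('part_edit_before_save', $part);
                         $part->save();
                         Observer::notify('part_edit_after_save', $part);
                         unset($data_parts[$part_id]);
                         break;
                     }
                 }
                 if ($not_in) {
                     $old_part->delete();
                 }
             }
         }
         // add the new parts (whatever is left in $data_parts)
         foreach ($data_parts as $part_data) {
             $part_data['name'] = trim($part_data['name']);
             $part = new PagePart($part_data);
             $part->page_id = $page->id;
             Observer::notify('part_add_before_save', $part);
             $part->save();
             Observer::notify('part_add_after_save', $part);
         }
         // save tags
         $page->saveTags(isset($_POST['page_tag']['tags']) ? $_POST['page_tag']['tags'] : '');
         Flash::set('success', __('Page has been saved!'));
     } else {
         Flash::set('error', __('Page has not been saved!'));
         $url = 'page/';
         $url .= $action == 'edit' ? 'edit/' . $id : 'add/';
         redirect(get_url($url));
     }
     if ($action == 'add') {
         Observer::notify('page_add_after_save', $page);
     } else {
         Observer::notify('page_edit_after_save', $page);
     }
     // save and quit or save and continue editing ?
     if (isset($_POST['commit'])) {
         redirect(get_url('page'));
     } else {
         redirect(get_url('page/edit/' . $page->id));
     }
 }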
Esempio n. 9
 /**
  * Saves the edited Snippet.
  *
  * A missing or invalid CSRF token, or a failed save, flashes the submitted
  * data and an error and sends the user back to the edit form. On success
  * observers are notified and the browser goes to the snippet index when the
  * form was submitted with "commit", otherwise back to the edit screen.
  *
  * @todo Merge _edit() and edit()
  *
  * @param string $id Snippet id.
  */
 private function _edit($id)
 {
     $data = $_POST['snippet'];
     $data['id'] = $id;
     $editUrl = get_url('snippet/edit/' . $id);

     // CSRF checks: both failure modes flash the data back and redirect;
     // they differ only in the message and the observer event.
     $tokenError = null;
     $tokenEvent = null;
     if (!isset($_POST['csrf_token'])) {
         $tokenError = __('No CSRF token found!');
         $tokenEvent = 'csrf_token_not_found';
     } elseif (!SecureToken::validateToken($_POST['csrf_token'], BASE_URL . 'snippet/edit')) {
         $tokenError = __('Invalid CSRF token found!');
         $tokenEvent = 'csrf_token_invalid';
     }
     if ($tokenError !== null) {
         Flash::set('post_data', (object) $data);
         Flash::set('error', $tokenError);
         Observer::notify($tokenEvent, AuthUser::getUserName());
         redirect($editUrl);
     }

     $snippet = new Snippet($data);
     if ($snippet->save()) {
         Flash::set('success', __('Snippet :name has been saved!', array(':name' => $snippet->name)));
         Observer::notify('snippet_after_edit', $snippet);
     } else {
         Flash::set('post_data', (object) $data);
         Flash::set('error', __('Snippet :name has not been saved. Name must be unique!', array(':name' => $snippet->name)));
         redirect($editUrl);
     }

     // Save and quit, or save and continue editing?
     if (isset($_POST['commit'])) {
         redirect(get_url('snippet'));
     } else {
         redirect($editUrl);
     }
 }
Esempio n. 10
 /**
  * Runs checks and stores a page.
  *
  * @param string $action   What kind of action this is: add or edit.
  * @param mixed $id        Page to edit if any.
  */
 private function _store($action, $id = false)
 {
     // Sanity checks
     if ($action == 'edit' && !$id) {
         throw new Exception('Trying to edit page when $id is false.');
     }
     use_helper('Validate');
     $data = $_POST['page'];
     $data['is_protected'] = !empty($data['is_protected']) ? 1 : 0;
     Flash::set('post_data', (object) $data);
     $pagesetting = array();
     //For homepage info & about page info okstmtcc
     if ($id == 1 || $id == 4) {
         $upload = $_POST['upload'];
         $pagesetting = $_POST['pagesetting'];
         //Flash::set('post_settingdata', (object) $pagesetting);
     }
     // Add pre-save checks here
     $errors = false;
     $error_fields = false;
     // CSRF checks
     if (isset($_POST['csrf_token'])) {
         $csrf_token = $_POST['csrf_token'];
         $csrf_id = '';
         if ($action === 'edit') {
             $csrf_id = '/' . $id;
         }
         if (!SecureToken::validateToken($csrf_token, BASE_URL . 'page/' . $action . $csrf_id)) {
             $errors[] = __('Invalid CSRF token found!');
         }
     } else {
         $errors[] = __('No CSRF token found!');
     }
     $data['title'] = trim($data['title']);
     if (empty($data['title'])) {
         $error_fields[] = __('Page Title');
     }
     /** homepage setting check okstmtcc **/
     if ($id == 1) {
         /** homepage page title **/
         if (empty($pagesetting['homepage_discover_title'])) {
             $error_fields[] = __('Homepage Title');
         }
         if (empty($pagesetting['homepage_discover_teaser'])) {
             $error_fields[] = __('Homepage Teaser');
         }
         /** highlight 1 **/
         // if (empty($pagesetting['highlight_title'])){
         //     $error_fields[] = __('Highlight 1&acute;s Title');
         // }
         // if (empty($pagesetting['highlight_text1'])){
         //     $error_fields[] = __('Highlight 1&acute;s Text 1');
         // }
         // if (empty($pagesetting['highlight_url'])){
         //     $error_fields[] = __('Highlight 1&acute;s Read More URL');
         // }
         // $pagesetting_ori = PageSetting::init();
         // if (isset($_FILES)) {
         //     if(empty($_FILES['upload_highlight_image']['name'])){
         //         $pagesetting['highlight_image'] =  $pagesetting_ori->highlight_image;
         //     } else {
         //         $pagesetting['highlight_image'] = $_FILES['upload_highlight_image']['name'];
         //     }
         // } else {
         //     $pagesetting['highlight_image'] =  $pagesetting_ori->highlight_image;
         // }
         // if (empty($pagesetting['highlight_image'])){
         //     $error_fields[] = __('Highlight 1&acute;s Image');
         // }
         // /** highlight 2 **/
         // if (empty($pagesetting['highlight2_title'])){
         //     $error_fields[] = __('Highlight 2&acute;s Title');
         // }
         // if (empty($pagesetting['highlight2_text1'])){
         //     $error_fields[] = __('Highlight 2&acute;s Text 1');
         // }
         // if (empty($pagesetting['highlight2_url'])){
         //     $error_fields[] = __('Highlight 2&acute;s Read More URL');
         // }
         // if (isset($_FILES)) {
         //     if(empty($_FILES['upload_highlight2_image']['name'])){
         //         $pagesetting['highlight2_image'] =  $pagesetting_ori->highlight2_image;
         //     } else {
         //         $pagesetting['highlight2_image'] = $_FILES['upload_highlight2_image']['name'];
         //     }
         // } else {
         //     $pagesetting['highlight2_image'] =  $pagesetting_ori->highlight2_image;
         // }
         // if (empty($pagesetting['highlight2_image'])){
         //     $error_fields[] = __('Highlight 2&acute;s Image');
         // }
         // if (isset($_FILES)) {
         //     if(empty($_FILES['upload_newdev_image']['name'])){
         //         $pagesetting['newdev_image'] =  $pagesetting_ori->newdev_image;
         //     } else {
         //         $pagesetting['newdev_image'] = $_FILES['upload_newdev_image']['name'];
         //     }
         // } else {
         //     $pagesetting['newdev_image'] =  $pagesetting_ori->newdev_image;
         // }
         // if (empty($pagesetting['newdev_image'])){
         //     $error_fields[] = __('New Development Image');
         // }
     }
     /** homepage setting check okstmtcc **/
     $data['slug'] = !empty($data['slug']) ? trim($data['slug']) : '';
     if (empty($data['slug']) && $id != '1') {
         $error_fields[] = __('Slug');
     } else {
         if ($data['slug'] == ADMIN_DIR) {
             $errors[] = __('You cannot have a slug named :slug!', array(':slug' => ADMIN_DIR));
         }
         if (!Validate::slug($data['slug']) && (!empty($data['slug']) && $id == '1')) {
             $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'slug'));
         }
     }
     // Check all numerical fields for a page
     $fields = array('parent_id', 'layout_id', 'needs_login');
     foreach ($fields as $field) {
         if (!Validate::digit($data[$field])) {
             $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
         }
     }
     // Check all date fields for a page
     $fields = array('created_on', 'published_on', 'valid_until');
     foreach ($fields as $field) {
         if (isset($data[$field])) {
             $data[$field] = trim($data[$field]);
             if (!empty($data[$field]) && !(bool) preg_match('/^[0-9]{4}-[0-9]{2}-[0-9]{2}$/D', (string) $data[$field])) {
                 $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
             }
         }
     }
     // Check all time fields for a page
     $fields = array('created_on_time', 'published_on_time', 'valid_until_time');
     foreach ($fields as $field) {
         if (isset($data[$field])) {
             $data[$field] = trim($data[$field]);
             if (!empty($data[$field]) && !(bool) preg_match('/^[0-9]{2}:[0-9]{2}:[0-9]{2}$/D', (string) $data[$field])) {
                 $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
             }
         }
     }
     // Check alphanumerical fields
     $fields = array('keywords', 'description');
     foreach ($fields as $field) {
         use_helper('Kses');
         $data[$field] = kses(trim($data[$field]), array());
         /*
                     if (!empty($data[$field]) && !Validate::alpha_comma($data[$field])) {
            $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
                     }
         *
         */
     }
     // Check behaviour_id field
     if (!empty($data['behaviour_id']) && !Validate::slug($data['behaviour_id'])) {
         $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'behaviour_id'));
     }
     // Make sure the title doesn't contain HTML
     if (Setting::get('allow_html_title') == 'off') {
         use_helper('Kses');
         $data['title'] = kses(trim($data['title']), array());
     }
     // Create the page object to be manipulated and populate data
     if ($action == 'add') {
         $page = new Page($data);
     } else {
         $page = Record::findByIdFrom('Page', $id);
         $page->setFromData($data);
     }
     // Upon errors, rebuild original page and return to screen with errors
     if (false !== $errors || $error_fields !== false) {
         $tags = $_POST['page_tag'];
         // Rebuild time fields
         if (isset($page->created_on) && isset($page->created_on_time)) {
             $page->created_on = $page->created_on . ' ' . $page->created_on_time;
         }
         if (isset($page->published_on) && isset($page->published_on_time)) {
             $page->published_on = $page->published_on . ' ' . $page->published_on_time;
         }
         if (isset($page->valid_until)) {
             $page->valid_until = $page->valid_until . ' ' . $page->valid_until_time;
         }
         // Rebuild parts
         $part = '';
         if (!empty($_POST['part'])) {
             $part = $_POST['part'];
             $tmp = false;
             foreach ($part as $key => $val) {
                 $tmp[$key] = (object) $val;
             }
             $part = $tmp;
         }
         // Set the errors to be displayed.
         $err_msg = $errors != false ? implode('<br/>', $errors) : '';
         $err_msg .= $error_fields != false ? '<br />Please specify these fields: ' . implode(', ', $error_fields) : '';
         Flash::setNow('error', $err_msg);
         //$settingdata = 'aaa';
         // display things ...
         $this->setLayout('backend');
         $pagesettingobj = new stdClass();
         foreach ($pagesetting as $name => $value) {
             $pagesettingobj->{$name} = $value;
         }
         $this->display('page/edit', array('action' => $action, 'csrf_token' => SecureToken::generateToken(BASE_URL . 'page/' . $action), 'page' => (object) $page, 'pagesetting' => $pagesettingobj, 'tags' => $tags, 'filters' => Filter::findAll(), 'behaviors' => Behavior::findAll(), 'page_parts' => $part, 'layouts' => Record::findAllFrom('Layout')));
     }
     // Notify
     if ($action == 'add') {
         Observer::notify('page_add_before_save', $page);
     } else {
         Observer::notify('page_edit_before_save', $page);
     }
     // Time to actually save the page
     // @todo rebuild this so parts are already set before save?
     // @todo determine lazy init impact
     $page->newwindow = !empty($data['newwindow']) ? '1' : '0';
     if ($page->save()) {
         // Get data for parts of this page
         $data_parts = $_POST['part'];
         Flash::set('post_parts_data', (object) $data_parts);
         if ($action == 'edit') {
             $old_parts = PagePart::findByPageId($id);
             // check if all old page part are passed in POST
             // if not ... we need to delete it!
             foreach ($old_parts as $old_part) {
                 $not_in = true;
                 foreach ($data_parts as $part_id => $data) {
                     $data['name'] = trim($data['name']);
                     if ($old_part->name == $data['name']) {
                         $not_in = false;
                         // this will not really create a new page part because
                         // the id of the part is passed in $data
                         $part = new PagePart($data);
                         $part->page_id = $id;
                         Observer::notify('part_edit_before_save', $part);
                         $part->save();
                         Observer::notify('part_edit_after_save', $part);
                         unset($data_parts[$part_id]);
                         break;
                     }
                 }
                 if ($not_in) {
                     $old_part->delete();
                 }
             }
         }
         // add the new parts
         foreach ($data_parts as $data) {
             $data['name'] = trim($data['name']);
             $part = new PagePart($data);
             $part->page_id = $page->id;
             Observer::notify('part_add_before_save', $part);
             $part->save();
             Observer::notify('part_add_after_save', $part);
         }
         // save tags
         $page->saveTags($_POST['page_tag']['tags']);
         // save homepage banner info okstmtcc
         if ($id == 1) {
             // upload home banner image 1, 2
             if (isset($_FILES) && !empty($_FILES['upload_banner_image1']['name'])) {
                 //okstmtcc 20150827 Replace image filename spaces
                 $_FILES['upload_banner_image1']['name'] = str_replace(array(" ", "(", ")"), array("_", "", ""), $_FILES['upload_banner_image1']['name']);
                 $file = $this->upload_file($_FILES['upload_banner_image1']['name'], FILES_DIR . '/pagesetting/images/', $_FILES['upload_banner_image1']['tmp_name'], $overwrite);
                 if ($file === false) {
                     Flash::set('error', __('Home banner could not be uploaded!'));
                     redirect(get_url('page/edit/1'));
                 } else {
                     $pagesetting['banner_image1'] = $file;
                 }
             }
             if (isset($_FILES) && !empty($_FILES['upload_banner_image2']['name'])) {
                 //okstmtcc 20150827 Replace image filename spaces
                 $_FILES['upload_banner_image2']['name'] = str_replace(array(" ", "(", ")"), array("_", "", ""), $_FILES['upload_banner_image2']['name']);
                 $file = $this->upload_file($_FILES['upload_banner_image2']['name'], FILES_DIR . '/pagesetting/images/', $_FILES['upload_banner_image2']['tmp_name'], $overwrite);
                 if ($file === false) {
                     Flash::set('error', __('Home banner could not be uploaded!'));
                     redirect(get_url('page/edit/1'));
                 } else {
                     $pagesetting['banner_image2'] = $file;
                 }
             }
             PageSetting::saveFromData($pagesetting);
         }
         // save homepage banner info okstmtcc
         // save about banner info okstmtcc
         if ($id == 4) {
             // upload about page image 1
             if (isset($_FILES) && !empty($_FILES['upload_about_image1']['name'])) {
                 //okstmtcc 20150827 Replace image filename spaces
                 $_FILES['upload_about_image1']['name'] = str_replace(array(" ", "(", ")"), array("_", "", ""), $_FILES['upload_about_image1']['name']);
                 $file = $this->upload_file($_FILES['upload_about_image1']['name'], FILES_DIR . '/pagesetting/images/', $_FILES['upload_about_image1']['tmp_name'], $overwrite);
                 if ($file === false) {
                     Flash::set('error', __('Home banner could not be uploaded!'));
                     redirect(get_url('page/edit/1'));
                 } else {
                     $pagesetting['about_image1'] = $file;
                 }
             }
             PageSetting::saveFromData($pagesetting);
         }
         // save about banner info okstmtcc
         Flash::set('success', __('Page has been saved.'));
     } else {
         Flash::set('error', __('Page has not been saved!'));
         $url = 'page/';
         $url .= $action == 'edit' ? 'edit/' . $id : 'add/';
         redirect(get_url($url));
     }
     if ($action == 'add') {
         Observer::notify('page_add_after_save', $page);
     } else {
         Observer::notify('page_edit_after_save', $page);
     }
     // save and quit or save and continue editing ?
     if (isset($_POST['commit'])) {
         redirect(get_url('page'));
     } else {
         redirect(get_url('page/edit/' . $page->id));
     }
 }
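 /**
  * Handles the POST of the user edit form: checks the CSRF token, an optional
  * password change, saves the record and (for administrators) the permissions.
  *
  * Every failure flashes an error and redirects back to this user's edit form;
  * as elsewhere in this controller, redirect() is relied on to end the request.
  *
  * @param mixed $id id of the user being edited (from the route)
  */
 private function _edit($id)
 {
     $data = isset($_POST['user']) ? $_POST['user'] : array();
     $edit_url = get_url('user/edit/' . $id);
     // CSRF checks -- both failure modes return to the same edit form so the
     // user does not land on the add form or on an edit URL without the id.
     if (isset($_POST['csrf_token'])) {
         if (!SecureToken::validateToken($_POST['csrf_token'], BASE_URL . 'user/edit')) {
             Flash::set('error', __('Invalid CSRF token found!'));
             redirect($edit_url);
         }
     } else {
         Flash::set('error', __('No CSRF token found!'));
         redirect($edit_url);
     }
     // An empty password field means "keep the current password".
     $password = isset($data['password']) ? (string) $data['password'] : '';
     $confirm = isset($data['confirm']) ? (string) $data['confirm'] : '';
     if ($password !== '') {
         // Strict comparison: '==' would consider numeric-looking strings such
         // as '1e3' and '1000' equal.
         if (strlen($password) >= 5 && $password === $confirm) {
             unset($data['confirm']);
         } else {
             Flash::set('error', __('Password and Confirm are not the same or too small!'));
             redirect($edit_url);
         }
     } else {
         unset($data['password'], $data['confirm']);
     }
     $user = Record::findByIdFrom('User', $id);
     if (isset($data['password'])) {
         // Hash with the user's existing salt so the stored format stays consistent.
         $data['password'] = AuthUser::generateHashedPassword($data['password'], $user->salt);
     }
     // NOTE(review): setFromData() is handed every posted key; whether it ignores
     // fields the form does not expose is not visible here -- confirm in Record.
     $user->setFromData($data);
     if ($user->save()) {
         if (AuthUser::hasPermission('administrator')) {
             // Only administrators may change permissions; a missing field
             // means "no permissions".
             $permissions = isset($_POST['user_permission']) ? $_POST['user_permission'] : array();
             UserPermission::setPermissionsFor($user->id, $permissions);
         }
         Flash::set('success', __('User has been saved!'));
     } else {
         Flash::set('error', __('User has not been saved!'));
     }
     // Editing your own account keeps you on the form; otherwise back to the list.
     if (AuthUser::getId() == $id) {
         redirect($edit_url);
     } else {
         redirect(get_url('user'));
     }
 }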
 /**
  * Logs the current user out after checking the CSRF token passed in the
  * query string, then expires the backend GUI cookies and redirects home.
  */
 function logout()
 {
     // The token arrives via GET on this route.
     $token = isset($_GET['csrf_token']) ? $_GET['csrf_token'] : null;
     if ($token === null) {
         Flash::set('error', __('No CSRF token found!'));
         redirect(get_url());
     } elseif (!SecureToken::validateToken($token, BASE_URL . 'login/logout')) {
         Flash::set('error', __('Invalid CSRF token found!'));
         redirect(get_url());
     }
     // Let plugins react before the session is torn down.
     Observer::notify('logout_requested');
     $username = AuthUser::getUserName();
     AuthUser::logout();
     // Expire the cookies the backend JS sets for UI state.
     $expired = time() - 3600;
     foreach (array('expanded_rows', 'meta_tab', 'page_tab') as $cookie) {
         setcookie($cookie, '', $expired);
     }
     Observer::notify('admin_after_logout', $username);
     redirect(get_url());
 }
 /**
  * Saves the settings posted from the settings form.
  *
  * Requires a valid CSRF token; either failure mode flashes an error, notifies
  * observers and returns to the settings page. The 'allow_html_title' checkbox
  * is absent from the POST when unticked, so it is defaulted to 'off' here.
  */
 private final function _save()
 {
     $data = $_POST['setting'];
     $token_present = isset($_POST['csrf_token']);
     $token_valid = $token_present
         && SecureToken::validateToken($_POST['csrf_token'], BASE_URL . 'setting');
     if (!$token_present) {
         Flash::set('error', __('No CSRF token found!'));
         Observer::notify('csrf_token_not_found', AuthUser::getUserName());
         redirect(get_url('setting'));
     } elseif (!$token_valid) {
         Flash::set('error', __('Invalid CSRF token found!'));
         Observer::notify('csrf_token_invalid', AuthUser::getUserName());
         redirect(get_url('setting'));
     }
     // Unticked checkbox => key missing from the POST; persist it as 'off'.
     if (!isset($data['allow_html_title'])) {
         $data['allow_html_title'] = 'off';
     }
     // NOTE(review): the posted values are stored without any HTML filtering
     // here -- confirm the templates escape settings on output.
     Setting::saveFromData($data);
     Flash::set('success', __('Settings have been saved!'));
     redirect(get_url('setting'));
 }
 /**
  * Ends the current session. The CSRF token is read from the query string
  * because the logout link is a plain GET; any token problem aborts with a
  * Flash error and a redirect to the front page.
  */
 function logout()
 {
     $failure = null;
     if (!isset($_GET['csrf_token'])) {
         $failure = __('No CSRF token found!');
     } elseif (!SecureToken::validateToken($_GET['csrf_token'], BASE_URL . 'login/logout')) {
         $failure = __('Invalid CSRF token found!');
     }
     if ($failure !== null) {
         Flash::set('error', $failure);
         redirect(get_url());
     }
     // Plugins get a hook before and after the session is destroyed.
     Observer::notify('logout_requested');
     $username = AuthUser::getUserName();
     AuthUser::logout();
     Observer::notify('admin_after_logout', $username);
     redirect(get_url());
 }
 /**
  * Validates and stores the posted user settings for one settings section.
  *
  * @param array  $post the raw POST data, expected to carry a 'token' field
  * @param string $type the settings section; part of the token URL and redirect
  * @return bool false on any failure, with a message appended to $this->errors
  */
 private function _saveSettings($post, $type)
 {
     $this->_check("user_config");
     // VALIDATE REQUEST: the token is bound to this section's URL.
     $token = isset($post["token"]) ? $post["token"] : null;
     if ($token === null || !SecureToken::validateToken($token, get_url("user/settings/" . $type))) {
         $this->errors[] = __("The CSRF Token does not exist or is invalid!");
         return false;
     }
     $settings = $this->_validateSettings($post, $type);
     // UPDATE AND REDIRECT
     $saved = !empty($settings) && Plugin::setAllSettings($settings, "paw_users");
     if ($saved) {
         $this->_redirect(get_url("user/settings/success#" . $type));
     }
     // Reached when nothing was saved (or should _redirect() return).
     $this->errors[] = __("An unknown error is occurred!");
     return false;
 }
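 /**
  * Applies posted settings to a registered dashboard widget.
  *
  * Only keys declared in the widget's 'settings' definition are taken from
  * $settings (an allow-list); anything else the client posted is dropped and
  * undeclared keys are stored as null. The widget's own settings callback gets
  * the final say before the values are persisted.
  *
  * @param string $widget   key into self::$widgets
  * @param array  $settings raw settings as posted, including 'widget_secure_token'
  * @return mixed false on an unknown widget, a non-array $settings, a
  *               non-callable settings callback or a missing/invalid token;
  *               otherwise the value returned by Plugin::setAllSettings()
  */
 public static function setWidgetSettings($widget, $settings)
 {
     if (!array_key_exists($widget, self::$widgets)) {
         return false;
     }
     if (!is_array($settings)) {
         return false;
     }
     $definition = self::$widgets[$widget];
     if (!is_callable($definition["settings_cb"])) {
         return false;
     }
     // CHECK SECURE TOKEN: bound to this widget's own URL.
     if (!isset($settings["widget_secure_token"])) {
         return false;
     }
     if (!SecureToken::validateToken($settings["widget_secure_token"], get_url("plugin/dashboard/" . $definition["id"]))) {
         return false;
     }
     // FETCH SETTINGS: allow-list by the declared keys only.
     $newsettings = array();
     foreach (array_keys($definition["settings"]) as $key) {
         $newsettings[$key] = array_key_exists($key, $settings) ? $settings[$key] : null;
     }
     // SET NEW SETTINGS; the result is returned so callers can tell success
     // from failure (previously nothing was returned on success).
     $newsettings = call_user_func($definition["settings_cb"], $newsettings, false);
     return Plugin::setAllSettings($newsettings, "dashboard-" . $definition["id"]);
 }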
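 /**
  * Edits a facility feature image: on POST saves the title and/or uploads a
  * replacement file, on GET renders the edit form.
  *
  * The POST path requires the controller's permission check and a CSRF token
  * bound to this feature's edit URL; every failure flashes an error and
  * redirects back to the form.
  *
  * @param mixed $id FeatureImage id from the route
  */
 function edit_feature($id)
 {
     $edit_url = get_url('facilities/edit_feature/' . $id);
     // check if trying to save
     if (get_request_method() == 'POST') {
         // form submission
         $this->_checkPermission();
         if (isset($_POST['csrf_token'])) {
             if (!SecureToken::validateToken($_POST['csrf_token'], BASE_URL . 'facilities/edit_feature/' . $id)) {
                 Flash::set('error', __('Invalid CSRF token found!'));
                 redirect($edit_url);
             }
         } else {
             Flash::set('error', __('No CSRF token found!'));
             redirect($edit_url);
         }
         $data = isset($_POST['upload']) ? $_POST['upload'] : array();
         // The upload directory is fixed below, so the posted 'path' is not read.
         $overwrite = isset($data['overwrite']);
         $title = isset($_POST['title']) ? $_POST['title'] : '';
         $featureimage = FeatureImage::findById($id);
         $uploaded_name = isset($_FILES['upload_feature_file']['name']) ? $_FILES['upload_feature_file']['name'] : '';
         // NOTE(review): the file_exists() half of this condition appends the
         // upload's tmp_name (normally an absolute path) to the feature directory,
         // so it almost certainly never matches and the branch reduces to "a file
         // was uploaded". Kept as-is; confirm what was intended.
         if (!empty($uploaded_name) && !file_exists(FILES_DIR . '/facilities/feature/' . $_FILES['upload_feature_file']['tmp_name'])) {
             // The filename is client-supplied; sanitising it is
             // upload_feature_file()'s responsibility -- confirm there.
             $file = $this->upload_feature_file($featureimage->facilitiesid, $featureimage->id, $title, $uploaded_name, FILES_DIR . '/facilities/feature/', $_FILES['upload_feature_file']['tmp_name'], $overwrite);
             if ($file === false) {
                 Flash::set('error', __('File has not been uploaded!'));
                 redirect($edit_url);
             }
         } else {
             $featureimage->title = $title;
             if (!$featureimage->save()) {
                 Flash::set('error', __('Feature could not be saved!'));
             } else {
                 Flash::set('success', __('Feature has been saved!'));
             }
         }
         // 'commit' = save and go back to the facility; otherwise stay on the form
         if (isset($_POST['commit'])) {
             redirect(get_url('facilities/edit/' . $featureimage->facilitiesid));
         } else {
             redirect($edit_url);
         }
     } else {
         // display edit page
         $feature = FeatureImage::findById($id);
         $this->display('facilities/edit_feature', array('csrf_token' => SecureToken::generateToken(BASE_URL . 'facilities/edit_feature/' . $id), 'feature' => $feature));
     }
 }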
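 /**
  * Deletes a user account together with its meta and role rows.
  *
  * $verify carries a different secret depending on who is deleting:
  * - own account: $verify is the current password, and self-deletion must be
  *   enabled in the config ('account_deletion');
  * - another account: $verify is the CSRF token for this delete URL and the
  *   caller needs the 'user_delete' permission.
  * Administrators can never be deleted through this method.
  *
  * @param mixed  $data   identifies the user; passed through paw_xss_cleaner() and _getUser()
  * @param string $verify password or CSRF token, see above
  * @return bool true when the user row was deleted, false otherwise (each
  *              refusal records a message via _error())
  */
 public function deleteUser($data, $verify)
 {
     $data = paw_xss_cleaner($data);
     $user = $this->_getUser($data);
     if (empty($user)) {
         $this->_error(__("The User does not exist!"));
         return false;
     }
     // CHECK IF ADMIN
     if ($this->permissions->isRole("administrator", $user->id)) {
         $this->_error(__("The user is an Administrator and Admins cannot be deleted!"));
         return false;
     }
     $is_self = (int) $this->currentID === (int) $user->id;
     // CHECK PERMISSION
     if ($is_self) {
         if ($this->config["account_deletion"] == 0) {
             $this->_error(__("You cannot delete your own Account, please contact an Administrator!"));
             return false;
         }
         if (!$this->_checkPassword($user, $verify)) {
             $this->_error(__("The Password is incorrect!"));
             return false;
         }
     } else {
         if (!$this->permissions->hasPermission("user_delete")) {
             $this->_error(__("You don't have the Permission to perform this action!"));
             return false;
         }
         if (!SecureToken::validateToken($verify, get_url("user/delete/" . $user->id . "/" . $this->currentID))) {
             $this->_error(__("The CSRF Token does not exist or is invalid!"));
             return false;
         }
     }
     // DELETE USER ACCOUNT. The id comes from a loaded record, but it is cast to
     // int before being interpolated so the statements can only ever carry a number.
     $user_id = (int) $user->id;
     $query = "DELETE FROM " . TABLE_PREFIX . "user WHERE id=" . $user_id;
     if (Record::query($query) !== false) {
         // Dependent rows; their return values are not checked.
         Record::query("DELETE FROM " . TABLE_PREFIX . "user_meta WHERE user_id=" . $user_id);
         Record::query("DELETE FROM " . TABLE_PREFIX . "user_role WHERE user_id=" . $user_id);
         if ($is_self) {
             $this->logout(true);
         }
         return true;
     }
     return false;
 }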
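 /**
  * Saves the POSTed edit form of a testimonial.
  *
  * Requires a CSRF token bound to this testimonial's edit URL and a non-empty
  * name; each failure flashes an error and redirects back to the edit form.
  * The posted data is stashed in Flash under 'testimonial_postdata' so the
  * form can be repopulated after a redirect.
  *
  * @param mixed $id Testimonial id from the route
  */
 private function _edit($id)
 {
     use_helper('Validate');
     $edit_url = get_url('testimonial/edit/' . $id);
     $data = isset($_POST['testimonial']) ? $_POST['testimonial'] : array();
     Flash::set('testimonial_postdata', $data);
     // CSRF checks
     if (isset($_POST['csrf_token'])) {
         if (!SecureToken::validateToken($_POST['csrf_token'], BASE_URL . 'testimonial/edit/' . $id)) {
             Flash::set('error', __('Invalid CSRF token found!'));
             redirect($edit_url);
         }
     } else {
         Flash::set('error', __('No CSRF token found!'));
         redirect($edit_url);
     }
     if (empty($data['name'])) {
         Flash::set('error', __('You have to specify a name!'));
         // Back to this edit form, not the add form.
         redirect($edit_url);
     }
     $testimonial = Record::findByIdFrom('Testimonial', $id);
     // NOTE(review): an unknown $id (findByIdFrom() returning nothing) is not
     // handled here -- confirm the router guarantees the record exists.
     $testimonial->setFromData($data);
     $testimonial->updated_by_id = AuthUser::getId();
     $testimonial->updated_on = date('Y-m-d H:i:s');
     if ($testimonial->save()) {
         Flash::set('success', __('Testimonial has been saved!'));
         Observer::notify('testimonial_after_edit', $testimonial->name);
     } else {
         Flash::set('error', __('Testimonial has not been saved!'));
     }
     // save and quit or save and continue editing?
     if (isset($_POST['commit'])) {
         redirect(get_url('testimonial'));
     } else {
         redirect($edit_url);
     }
 }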
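 /**
  * Changes the permission bits of a file or directory under FILES_DIR.
  *
  * Requires the 'file_manager_chmod' permission and a valid CSRF token. The
  * target comes from $_POST['file']['name'] and the mode from
  * $_POST['file']['mode'] (an octal string of 3 or 4 digits). The target is
  * resolved with realpath() and must stay inside FILES_DIR -- symlinks that
  * point outside it are reported as not found. Afterwards the browser is sent
  * back to the directory containing the target.
  */
 public function chmod()
 {
     $browse_url = get_url('plugin/file_manager/browse/');
     if (!AuthUser::hasPermission('file_manager_chmod')) {
         Flash::set('error', __('You do not have sufficient permissions to change the permissions on a file or directory.'));
         redirect($browse_url);
     }
     // CSRF checks
     if (isset($_POST['csrf_token'])) {
         if (!SecureToken::validateToken($_POST['csrf_token'], BASE_URL . 'plugin/file_manager/chmod')) {
             Flash::set('error', __('Invalid CSRF token found!'));
             redirect($browse_url);
         }
     } else {
         Flash::set('error', __('No CSRF token found!'));
         redirect($browse_url);
     }
     $data = isset($_POST['file']) ? $_POST['file'] : array();
     $name = isset($data['name']) ? str_replace('..', '', (string) $data['name']) : '';
     $mode = isset($data['mode']) ? (string) $data['mode'] : '';
     $file = FILES_DIR . '/' . $name;
     // Resolve the path and refuse anything that does not end up inside
     // FILES_DIR (defence in depth on top of the '..' stripping above).
     $base = realpath(FILES_DIR);
     $real = realpath($file);
     $inside = $real !== false && $base !== false
         && ($real === $base || strpos($real, $base . DIRECTORY_SEPARATOR) === 0);
     if (!$inside) {
         Flash::set('error', __('File or directory not found!'));
     } elseif (!preg_match('/^[0-7]{3,4}$/D', $mode)) {
         // octdec() silently skips non-octal characters, so validate first.
         Flash::set('error', __('Illegal value for :fieldname field!', array(':fieldname' => 'mode')));
     } elseif (!@chmod($real, octdec($mode))) {
         // '@' only silences the E_WARNING chmod() emits on failure; the
         // return value is what decides the outcome.
         Flash::set('error', __('Permission denied!'));
     }
     // Back to the directory that contains the target (or the root when the
     // name has no directory part).
     $slash = strrpos($name, '/');
     $path = $slash === false ? '' : substr($name, 0, $slash);
     redirect(get_url('plugin/file_manager/browse/' . $path));
 }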